EDR: search_query field no longer updating via /api/v1/watchlist on server version 7.7

Article ID: 290648

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

API PUT requests that update a watchlist's search_query are not applied; other watchlist field values do change.

Environment

  • EDR Server: 7.7.0

Cause

  • A change in 7.7 prevents the PUT command from altering the search_query.
  • The PUT command does not create a new watchlist. If the search_query of an existing watchlist ID were updated in place, alerts/notifications that were already tagged against that watchlist_id would tie back to the updated search_query instead of the original one.

Resolution

  • Allowing the PUT command to create a new watchlist and update search_query is tracked as CB-40025. There is no ETA for when, or whether, this will be implemented.
  • As a workaround, create a new watchlist that carries the new search_query, then remove the old watchlist.
    1. Get the data of the watchlist to be changed (ID 451 is used in this example):
      • Ex. $ curl "https://localhost:443/api/v1/watchlist/451" -H "Content-Type: application/json" -H "X-Auth-Token: e941f264625f220b32a834faeffa62fdd9b7730f" -k
        {"id":"451","date_added":"2022-08-04 22:47:06.676965-04:00","name":"test1","description":"test1","index_type":"events","search_query":"q=q%3Dtest3.exe","last_hit":null,"last_hit_count":0,"search_timestamp":"2022-08-05T02:48:53.013Z","total_hits":"0","total_tags":"0","readonly":false,"enabled":true,"group_id":-1,"last_execution_time_ms":"21","last_execution_result":0}
    2. Create a JSON file from the old watchlist data and the new search_query. Set move_actions_from_watchlist_id to the previous ID (451):
      • edit.json:
        {"name":"test1","search_query":"q=q%3Dtest1.exe","description":"test1","index_type":"events","move_actions_from_watchlist_id":"451"}
    3. Create the new watchlist. The new ID is returned:
      • $ curl -XPOST "https://localhost:443/api/v1/watchlist" -H "Content-Type: application/json" -H "X-Auth-Token: e941f264625f220b32a834faeffa62fdd9b7730f" -k -d @edit.json
        {"id":452}
    4. Delete the previous watchlist ID:
      • $ curl -XDELETE "https://localhost:443/api/v1/watchlist/451" -H "X-Auth-Token: e941f264625f220b32a834faeffa62fdd9b7730f" -k
        {"result":"success"}
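The four curl steps above, as one script. This is an added example, not code from the KB article or from Carbon Black: it GETs the old watchlist, POSTs a replacement that copies the old settings plus the new search_query and move_actions_from_watchlist_id, and DELETEs the old watchlist only after the server has returned a different ID, so a failed create never leaves the server without the watchlist. The `EdrApi.request(method, path, body)` interface, the `FakeWatchlistApi` in-memory stand-in (used so the demo runs offline) and the sample watchlist record are this example's own constructions; TLS verification is on by default, unlike the article's `curl -k`.

```python
"""Re-create an EDR watchlist with a new search_query (the KB workaround).

Added example, not code from the KB article or from Carbon Black. EdrApi is a
urllib transport for a live server; FakeWatchlistApi is a constructed in-memory
stand-in for /api/v1/watchlist so the demo runs offline. The single
request(method, path, body) interface is this example's own convention.
"""
import json
import ssl
import urllib.request

# Settings copied into the new watchlist. id, date_added, hit counters and
# the like are server-managed and are not sent in the POST body.
COPIED_FIELDS = ("name", "description", "index_type")


def build_replacement(old, new_search_query):
    """Build the POST body of step 2 (what the article puts in edit.json)."""
    body = {field: old[field] for field in COPIED_FIELDS}
    body["search_query"] = new_search_query  # URL-encoded, e.g. q=q%3Dtest1.exe
    body["move_actions_from_watchlist_id"] = str(old["id"])
    return body


def replace_watchlist_query(api, watchlist_id, new_search_query):
    """Run steps 1-4 and return the new watchlist ID (an int, as the POST reply gives it)."""
    old = api.request("GET", f"/api/v1/watchlist/{watchlist_id}")
    created = api.request("POST", "/api/v1/watchlist", build_replacement(old, new_search_query))
    new_id = created["id"]
    # Only delete the old watchlist once the replacement verifiably exists under a new ID.
    if str(new_id) == str(old["id"]):
        raise RuntimeError(f"server did not allocate a new watchlist ID ({new_id})")
    result = api.request("DELETE", f"/api/v1/watchlist/{watchlist_id}")
    if result.get("result") != "success":
        raise RuntimeError(f"deleting watchlist {watchlist_id} failed: {result}")
    return new_id


class EdrApi:
    """urllib transport for a live server. verify_tls=False is the equivalent of curl -k."""

    def __init__(self, base_url, token, verify_tls=True):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("X-Auth-Token", self.token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)


class FakeWatchlistApi:
    """Constructed in-memory /api/v1/watchlist, used only for the offline demo."""

    def __init__(self, watchlists):
        self.watchlists = {str(w["id"]): dict(w) for w in watchlists}
        self.next_id = max(int(i) for i in self.watchlists) + 1
        self.moved = []  # (old_id, new_id) pairs seen in POST bodies

    def request(self, method, path, body=None):
        wid = path.rsplit("/", 1)[1]
        if method == "GET":
            return dict(self.watchlists[wid])
        if method == "DELETE":
            del self.watchlists[wid]
            return {"result": "success"}
        new_id, self.next_id = self.next_id, self.next_id + 1
        record = {k: v for k, v in body.items() if k != "move_actions_from_watchlist_id"}
        record["id"] = str(new_id)  # GET returns the id as a string, POST replies with an int
        self.watchlists[str(new_id)] = record
        if "move_actions_from_watchlist_id" in body:
            self.moved.append((body["move_actions_from_watchlist_id"], str(new_id)))
        return {"id": new_id}


# Constructed sample mirroring the article's watchlist 451.
SAMPLE_WATCHLIST = {
    "id": "451", "name": "test1", "description": "test1", "index_type": "events",
    "search_query": "q=q%3Dtest3.exe", "enabled": True, "readonly": False, "group_id": -1,
}


def demo():
    """Offline run of the workaround against the fake API; returns (api, new_id)."""
    api = FakeWatchlistApi([SAMPLE_WATCHLIST])
    return api, replace_watchlist_query(api, "451", "q=q%3Dtest1.exe")


if __name__ == "__main__":
    fake, created_id = demo()
    print("new watchlist", created_id, json.dumps(fake.watchlists[str(created_id)]))
    # Live server (placeholder values): EdrApi("https://edr.example.internal", "<api-token>")
```

Against a live server, pass an `EdrApi` instance instead of the fake; the API token comes from your own deployment, and `verify_tls=False` should only be used on an appliance whose certificate you cannot otherwise trust.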